With significant input from Orrick’s Cybersecurity, Privacy and Data Innovation team, the influential Sedona Conference and its Working Group 11 last week published important guidance on the application of the attorney-client privilege and work-product protection in the cybersecurity context. The comprehensive Sedona Conference commentary provides a framework for federal and state policymakers to amend existing law in several respects, including carving out a limited privilege for information prepared in the cybersecurity context without the involvement of lawyers.

Partner Doug Meal, head of our cyber and privacy litigation practice, served as vice-chair of the conference’s Working Group 11 steering committee and editor-in-chief of the team that drafted the commentary, released in April for public comment. The conference’s Working Group 11 is the body charged with addressing legal issues in the Privacy & Cybersecurity area, and its membership includes a cross-section of prominent plaintiffs’ and defense lawyers, regulators, forensic experts, law professors, judges, in-house counsel and others who specialize in privacy & cybersecurity law.

The Commentary released last week evaluates the application of the attorney-client privilege and work-product protection to an organization’s cybersecurity information (CI). The Commentary seeks to move the law forward by assessing the arguments for and against the discoverability of CI being determined under general principles of attorney-client privilege and work-product protection law as opposed to modifying those principles in the context of CI. Finally, the Commentary considers various proposals for adapting existing attorney-client privilege and work-product protection law, or developing entirely new protections, in the CI context.

Doug and David Cohen, Of Counsel in our cyber and privacy practice who also worked on the project, provide these key takeaways from the Commentary, which will be particularly useful to in-house counsel seeking to understand what factors courts currently use to determine whether the privilege and protection will apply to documents/communications generated before and after a cyber breach.

Among the key findings:

There are only a handful of cases addressing whether the attorney-client privilege or work-product protection applies in the cybersecurity context under current law, but those that do provide invaluable guidance:

The primary question courts look to here, just like outside the cybersecurity context, is whether the communication was made to solicit or render legal advice or in anticipation of litigation.

Companies seeking to claim the privilege or protection will need to be prepared to prove up their claim. The privilege/protection determination is heavily influenced by the degree to which lawyers were involved in the circumstances surrounding the creation of the information. But merely getting counsel involved in a project does not automatically make the documents or communications protected. Rather, courts will carefully scrutinize the evidence, including declarations companies submit, to assess whether legal advice was the primary purpose of the document/communication and whether it was made because of anticipated litigation.

Using outside counsel for legally driven cybersecurity projects can strengthen a company’s privilege/protection claim. Communications with in-house counsel may be less likely to be considered privileged, particularly with respect to documents that arguably have both a business and legal purpose (e.g., security assessments or breach investigations), since it may be less clear to the court whether legal concerns were the driver.

Companies seeking to preserve the privilege or protection will need to be careful when sharing CI. Disclosing it to the wrong people outside the company, or sometimes even within the company, can waive the privilege or protection.

The Sedona Conference Commentary advocates for an expansion of the protection afforded to CI under current law. Specifically, it calls for a qualified stand-alone cybersecurity privilege that would not depend on whether lawyers and/or litigation concerns were sufficiently involved in the creation of the information, and it calls for a “no waiver” doctrine providing that disclosure of CI to law enforcement would not waive any privilege or protection.

Seasoned trial lawyer Doug Meal defends clients targeted by litigation and government investigations stemming from major privacy and cybersecurity incidents. According to Chambers USA, clients select Doug because “[h]e is the premier expert in this field and knows how to run a breach response process from A to Z”; is “extremely experienced [and] can give immediate advice off the top of his head”; “has been in court through trials and negotiations, all aspects of the litigation, and is highly effective in all of them”; and “is good to work with, personable and very authoritative.” Based on client assessments like these, Chambers USA has named Doug as the first and only “Band 1” litigator in the Privacy and Data Security category, describing him as the “market leader,” being “regarded by market sources as the leading privacy litigator in the USA.”

As the lead outside lawyer handling claims stemming from the data security breaches suffered by Target, Neiman Marcus, The Home Depot, Hilton Worldwide, Landry’s, Arby’s, Supervalu, Sally Beauty, Sony, Heartland Payment Systems, TJ Maxx, Hannaford Brothers, Aldo, Genesco, and Wyndham Hotels—some of the most highly publicized data security breaches in recent years—Doug has become the national leader in defending companies that suffer significant cybersecurity breaches involving consumer information against the ensuing claims and regulatory investigations. Doug’s recent successes include leading the team that prevailed in the closely-watched LabMD v. FTC, convincing the U.S. Court of Appeals for the Eleventh Circuit to become the first court ever to overturn a cybersecurity enforcement action by the Federal Trade Commission.

David’s practice focuses on complex litigation, particularly in the area of privacy and data security. He has extensive experience working with corporate clients that have suffered data breaches or have been accused of privacy violations, defending them against class actions and claims asserted by payment card brands and representing them in connection with federal and state government actions.

In addition, David is a thought leader in the area of privacy and cybersecurity, publishing extensively on the latest issues in the space and serving as a resource to reporters and others writing on breaking legal developments. David is also an active member of the Sedona Conference Working Group 11 on Data Security and Privacy Liability.
